In my previous post, Never let your guard down, I emphasized the need for a security operation process to better face known and unknown attacks with automation and hunting. However, I intentionally left out a key ingredient… THEALERT (or incident or indicator or investigation or whatever you call it). Before an analyst can make a decision and assign an appropriate course of action (automated or manual), they need to understand what they’re looking at, where the alert came from, what triggered the alert, who is involved, what is involved (e.g. server, host), were there any similar alerts in the past, … you get the point. The major challenge in answering these questions lies in the current state of siloed bursts of context-unaware alerts and the transition to context-aware incident management. There is an obvious need to give THE ALERT, some well-deserved, first-class citizen treatment!

Looking back about twenty years ago, security analysts were also outnumbered by the volume of alerts generated. However, one (huge) difference was the attack surface. The increasing attack surface across cloud infrastructure-as-a-service (IaaS) and cloud applications (SaaS), mobile, virtualization, BYOE(ndpoint), Industrial Control Systems (ICS) and general OT environments is more open than ever. This triggered an exponential growth in alerts created. The capabilities to support that explosion of alerts (what we all know as alert fatigue) lagged behind.

Which led me to ask, what are the most common actions a (Read more...)

Useful Links

Other Mediaops Sites

Our website uses cookies. By continuing to browse the website you are agreeing to our use of cookies. For more information on how we use cookies and how you can disable them, please read our Privacy Policy.